DISA looks to the cloud for answers to DOD's enterprise

Cloud computing is playing a significant role at the DOD and in its IT future, but security hurdles remain

By Kimberly Johnson

Nov 15, 2012

Cloud computing is playing a significant role at the Defense Department and in its IT future, but security hurdles remain, according to a top Defense Information Systems Agency (DISA) official.

Cloud computing is revolutionizing the IT world, and it is expected to swell into a $42 billion business within four years. DOD is getting on board, too, already benefitting from cloud infrastructure for e-mail, said Henry Sienkiewicz, who in October became the Defense Information Systems Agency’s vice chief executive for information assurance at Fort Meade, Md.

“When we look across the entire cloud spectrum, we recognize that DISA has an integral part in pretty much every aspect, from everything from infrastructure to platform as a service, [and] applications as a service,” Sienkiewicz said. “When we talk about infrastructure, we have had our network running under the DOD brand of global content delivery systems. That has been a great service, saving all sorts of bandwidth for many years now. And we continue to expand that year after year,” he added.

DOD has taken to the cloud for an enterprise e-mail offering, which now serves more than 500,000 users. “We’re on target to support the entire Army in the near future,” he said. “That is a great instance of a cloud offering that we’re providing the DOD within the department.”

DISA is also using cloud offerings for an enterprise portal service internally, which enhances the ability to collaborate, he added.

Defense officials will soon be looking for more from the cloud. “For platform as a service, sort of a virtual provisioning of machines on the fly, I think you all will want to stay tuned to this channel as we are starting to launch some exciting initiatives. DISA has been a pioneer in that space. Almost four years ago, we launched RACE, our Rapid Access Computer Environment. We’ve modified it since. We’ve been working very closely with the Air Force and other mission partners to do other provisioning,” he said.

The Air Force is actively working on providing a very dynamic, robust cloud infrastructure using DISA-provided hardware and software, while using some of its own service middleware on top, he said. Additionally, the Army is launching a project using an Ozone Widget Framework, but it will be hosted inside the DISA environment. DISA itself is also moving its enterprise e-mail and portal services into sustainment as true service offerings, Sienkiewicz added.

Security

While DOD’s computing future is sure to include the cloud, security concerns remain, largely because its tactics, techniques and procedures have not yet been set.

“We really look at cloud offerings in three ways: a private DOD cloud, a commercial offering closed inside the department, then we look at using a public cloud,” Sienkiewicz said. “We, inside of DISA, have obviously been very focused on providing that private cloud. So enterprise e-mail and enterprise SharePoint are very much inside that.”

DISA also supports the FedRAMP (Federal Risk and Authorization Management Program) initiative for the public use of the cloud, he said. “So how the federal government is going to use FedRAMP as a way to onboard offerings is completely integral to our approach. Recognize that we are still very concerned about separation of content. There isn’t a comfort zone when it comes to having military [data] colocated in the same virtual environment with other commercial offerings,” he said. “If there is the possibility of litigation, we really believe that the cloud providers need to be able to ensure our data does not get wrapped up in any other litigation issues,” he said.

“We really do believe that as we’re on-ramping our data to a public cloud offering, that those providers really do have clear control [of] where the data resides and who else we’re colocated with… We really have a lot of concerns about making sure we have positive control of data, not to dictate how the cloud providers are doing their business, but rather to provide safeguards for the military and the taxpayers,” he added.

Cloud computing is fundamental for the Joint Information Environment (JIE) and for both the enterprise information environment and the tactical information environment, he said. “That is the only way we are going to have core data centers that are interoperable and can transfer workload [between data centers] in a load-balanced fashion. If there is a possibility of malicious activity against one data center, we are able to go and dynamically move that workload so that there is no outage to the rest of the environment,” Sienkiewicz said.

Information Assurance

Maintaining information assurance and mission assurance requires that DISA be able to know where data is and where it is being used, and to understand other contextual impacts that go along with providing data, he said.

“The cloud and the way that we’re moving and implementing the cloud does provide a series of challenges because there is a culture of other attack vectors in the environment that are a little bit different. Virtualization provides a series of nuanced attack vectors, which if you’re just doing single machine provisioning, you don’t generally worry about,” Sienkiewicz said. “As we move into this greater Joint Information Environment -- the cloud underneath the covers -- we’ve got to make sure that we’re able to analyze very authoritatively what is going on dynamically inside the environment and what is happening on our perimeters.”

The key, Sienkiewicz says, is ensuring data integrity and security. “How do we ensure that access control is appropriate? How do we ensure that on-ramping is also appropriate and that there are the proper perimeter defenses that go along the environment?” Just because something is already in a cloud offering doesn’t necessarily mean it’s robust enough for the Defense Department, he said. “That’s a nuance that at times we have to actually work to educate some of our partners about. There are great applications out there, and sometimes there are other enhancements that need to occur in order for them to effectively support us.”